24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc

Analysis

max time kernel
155s
max time network
161s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 07:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe
Size

1.9MB
MD5

84ecdc6ed6bbc62cc62153aad85f7c66
SHA1

6a5697f831fc5c0f92ae61bf01f1ff019fd75360
SHA256

24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc
SHA512

3fd4f80612c5527c487ea65f64e7b5e03bf34fc4662489ce8b6872c46be240aadceb404b12fe8b08a77baf4337a1c499a1c00dba751b31bad466d10f9c792791
SSDEEP

3072:qXJCFRSt63wPwWYhVTjJ5cHymR7w0YmS8O:LdnWYD95z4w0Dt

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 14 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Executes dropped EXE 3 IoCs

pid	Process
1992	winlogon.exe
1484	winlogon.exe
1016	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defscangui.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monwow.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvsvc32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swnetsup.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds-3.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tracerpt.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleaner3.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antigen.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleToolbarInstaller_download_signed.exe	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GROOVE.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANOST.EXE	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atcon.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-agnt95.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvapsvc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pptbc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfw2en.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwsc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsynmgr.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsave32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbpoll.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iamserv.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldscan.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Restart.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acs.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwinnt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkservice.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavproxy.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wingate.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieDcomLaunch.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OSE.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mghtml.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkserv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsched32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiadmin.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mu0311ad.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\neowatchlog.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweep.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vscenu6.02d30.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atupdater.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleaner.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\evpn.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsetup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taumon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wradmin.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atguard.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmsrvc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defalert.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\neowatchlog.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fslaunch.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ants.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\findviru.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isrv95.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-pf-213-en-win.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winroute.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxw.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcpevalsetup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\killprocesssetup161.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeweb.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1340-58-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1340-56-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1340-59-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1340-62-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1340-63-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1340-72-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1484-87-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1484-88-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1016-89-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1016-93-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1016-94-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1016-98-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1016-99-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
1340	24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe
1340	24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2036 set thread context of 1340	2036	24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe	27
PID 1992 set thread context of 1484	1992	winlogon.exe	30
PID 1484 set thread context of 1016	1484	winlogon.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Sound	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Sound\Beep = "no"	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://80inpi4463k9040.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://p40rykc321205wy.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://j860wtu3369476u.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Download	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://np27o66aoq8tmi6.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://2w9kr7bwi384v39.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000c6c055c0d59cfacca12cda37dda821c3a456ab1f1dac2512c29a92d039018c60000000000e80000000020000200000005a1bc3978bcd8f4a9a63a7718a07156cb38346c0f9a167123a9322601abcff4290000000a35f754d55b9a17945d8fcd937818037978328b47bf00720b166b20dbf018f8260cc11efad33f982d03abdec5480fab187a9f36cbe47cd3ee4608630ea7fe8bafb7314697704e720dffc2a1c1a1ebbde73ef57e2d14a0249455f83018073118f90f8caa759f7d6be3655c791db6d042100246d874f73f146bef3e4af4e7400e92a63693e7efce5bf7a6dec822486341340000000dff1bffade7ffbae7c7a7bf334ab78e755125589a73be1a996c042b266fdd1f4a139f7e45aa89f30bfc014517aae7d1746e55a90c7ffe51ae2e57cef3f816c5a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D1389B41-5896-11ED-9332-6A94EDCEDC7A} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80831da1a3ecd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://204bl4o705yi86w.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373929008"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://7945sl0kcjw973y.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000a76f891f669a821821f9ee34cce443c4d120bd33598c1f66e981d50ca2c82d53000000000e80000000020000200000009b20a5acd8ca39ec50c0f270bd796ecc6612cf3dfa29f0f02172b963b851702720000000b5aa96175bfdc8fa08bf42356bf5f031675be5b09f954bdcbda3f1c7008e8fe140000000693a693d11b0119e14be7c65d0ef8e53a7dd0ad7c2fc36ab8b8017d3fcd01f364dfe695c851593027dc02e7c752d3830508ac6d8b8c3598d9fb5791cc95176d2	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://x44ail62jwk044o.directorio-w.com"	winlogon.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://jc7c3x7e30cdzg6.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://jch402fb5219eor.directorio-w.com"	winlogon.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1016	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	1016	winlogon.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
360	iexplore.exe
360	iexplore.exe
360	iexplore.exe
360	iexplore.exe
360	iexplore.exe
360	iexplore.exe
360	iexplore.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
1340	24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe
1484	winlogon.exe
1016	winlogon.exe
360	iexplore.exe
360	iexplore.exe
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE
360	iexplore.exe
360	iexplore.exe
1692	IEXPLORE.EXE
1692	IEXPLORE.EXE
360	iexplore.exe
360	iexplore.exe
1616	IEXPLORE.EXE
1616	IEXPLORE.EXE
360	iexplore.exe
360	iexplore.exe
1492	IEXPLORE.EXE
1492	IEXPLORE.EXE
360	iexplore.exe
360	iexplore.exe
1620	IEXPLORE.EXE
1620	IEXPLORE.EXE
360	iexplore.exe
360	iexplore.exe
2420	IEXPLORE.EXE
2420	IEXPLORE.EXE
360	iexplore.exe
360	iexplore.exe
1692	IEXPLORE.EXE
1692	IEXPLORE.EXE
1016	winlogon.exe
1016	winlogon.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 544	2036	24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe	26
PID 2036 wrote to memory of 544	2036	24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe	26
PID 2036 wrote to memory of 544	2036	24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe	26
PID 2036 wrote to memory of 544	2036	24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe	26
PID 2036 wrote to memory of 1340	2036	24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe	27
PID 2036 wrote to memory of 1340	2036	24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe	27
PID 2036 wrote to memory of 1340	2036	24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe	27
PID 2036 wrote to memory of 1340	2036	24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe	27
PID 2036 wrote to memory of 1340	2036	24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe	27
PID 2036 wrote to memory of 1340	2036	24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe	27
PID 2036 wrote to memory of 1340	2036	24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe	27
PID 2036 wrote to memory of 1340	2036	24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe	27
PID 1340 wrote to memory of 1992	1340	24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe	28
PID 1340 wrote to memory of 1992	1340	24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe	28
PID 1340 wrote to memory of 1992	1340	24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe	28
PID 1340 wrote to memory of 1992	1340	24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe	28
PID 1992 wrote to memory of 1800	1992	winlogon.exe	29
PID 1992 wrote to memory of 1800	1992	winlogon.exe	29
PID 1992 wrote to memory of 1800	1992	winlogon.exe	29
PID 1992 wrote to memory of 1800	1992	winlogon.exe	29
PID 1992 wrote to memory of 1484	1992	winlogon.exe	30
PID 1992 wrote to memory of 1484	1992	winlogon.exe	30
PID 1992 wrote to memory of 1484	1992	winlogon.exe	30
PID 1992 wrote to memory of 1484	1992	winlogon.exe	30
PID 1992 wrote to memory of 1484	1992	winlogon.exe	30
PID 1992 wrote to memory of 1484	1992	winlogon.exe	30
PID 1992 wrote to memory of 1484	1992	winlogon.exe	30
PID 1992 wrote to memory of 1484	1992	winlogon.exe	30
PID 1484 wrote to memory of 1016	1484	winlogon.exe	33
PID 1484 wrote to memory of 1016	1484	winlogon.exe	33
PID 1484 wrote to memory of 1016	1484	winlogon.exe	33
PID 1484 wrote to memory of 1016	1484	winlogon.exe	33
PID 1484 wrote to memory of 1016	1484	winlogon.exe	33
PID 1484 wrote to memory of 1016	1484	winlogon.exe	33
PID 1484 wrote to memory of 1016	1484	winlogon.exe	33
PID 1484 wrote to memory of 1016	1484	winlogon.exe	33
PID 1484 wrote to memory of 1016	1484	winlogon.exe	33
PID 360 wrote to memory of 1620	360	iexplore.exe	38
PID 360 wrote to memory of 1620	360	iexplore.exe	38
PID 360 wrote to memory of 1620	360	iexplore.exe	38
PID 360 wrote to memory of 1620	360	iexplore.exe	38
PID 360 wrote to memory of 1692	360	iexplore.exe	40
PID 360 wrote to memory of 1692	360	iexplore.exe	40
PID 360 wrote to memory of 1692	360	iexplore.exe	40
PID 360 wrote to memory of 1692	360	iexplore.exe	40
PID 360 wrote to memory of 1616	360	iexplore.exe	41
PID 360 wrote to memory of 1616	360	iexplore.exe	41
PID 360 wrote to memory of 1616	360	iexplore.exe	41
PID 360 wrote to memory of 1616	360	iexplore.exe	41
PID 360 wrote to memory of 1492	360	iexplore.exe	42
PID 360 wrote to memory of 1492	360	iexplore.exe	42
PID 360 wrote to memory of 1492	360	iexplore.exe	42
PID 360 wrote to memory of 1492	360	iexplore.exe	42
PID 360 wrote to memory of 2420	360	iexplore.exe	43
PID 360 wrote to memory of 2420	360	iexplore.exe	43
PID 360 wrote to memory of 2420	360	iexplore.exe	43
PID 360 wrote to memory of 2420	360	iexplore.exe	43

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe
"C:\Users\Admin\AppData\Local\Temp\24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\\svchost.exe
  2⤵
  PID:544
- C:\Users\Admin\AppData\Local\Temp\24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1992
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\\svchost.exe
      4⤵
      PID:1800
  - - C:\Users\Admin\E696D64614\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1484
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Modifies firewall policy service
        Modifies security service
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Windows security bypass
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Sets file execution options in registry
        Drops startup file
        Windows security modification
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1016

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1556

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:360
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:360 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1620
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:360 CREDAT:472072 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1692
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:360 CREDAT:865295 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1616
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:360 CREDAT:406545 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1492
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:360 CREDAT:4076562 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
e85c3033b5a1d54a616c7361f88dd851

SHA1
a1106c716e6a3b6ea251e4cb89f610268fa4ef97

SHA256
1abaac8a006e99121082053817d7eb66918b038d1e97c7aee0e9725d0ef39dfa

SHA512
91675ed0c855f4b756064bf2e9365786eb70cda80398a171683aadfeb2e7807319691a250f55af0d67cdcfc64435f6d4e74dc86b9916af2719a83715d9ed3b21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
1KB

MD5
f6005e2378b0b6247732d3bff755805b

SHA1
d41adeb7ada78498d34f892824d5e29a1092ddce

SHA256
415189e45cc6001b8a8ad6ba930f5674c8bdecd8b190c093e93c0046ded04bca

SHA512
50d8cb26ddfc70421c159fbbada3cbfd847070ebed243413763b0affa557992a7ffbcfbec285ffeabc2f1a06f2d33d650fa122cb709cb238733122756b04529f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
1KB

MD5
cfa7162e90a9d620a3e80239ea1364b9

SHA1
f536cdbf8ae0af221f93fe7f9eab5eb1540930ac

SHA256
ef610d5fdc39d6541128cb34fc7590ae1ee6b24966d2c44b1542064bf5ebfeb4

SHA512
0d4a32faa4f3c7ca13ae8bdf70be9edab92078f4fa1d428099f7631440de490b63698ee95a064620004c7cf19e16f7d1154de5b933eda9cb65f0d59eebcc76a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_FF62BD756A5FABB9D839CE721823CD76

Filesize
471B

MD5
2e2bd4b97aca6a0eec8270833c2cb16a

SHA1
0e256dc85f9f91643c009971483db657c7947788

SHA256
6763be97e81767383bc3bfdb88622403474845e2fffd9bbc6faae735a1d52e33

SHA512
8d60edd37e423659b856f8aceb6a9a2cfe5f4725215b92bf88cc9c66b038695dab799f189394eb99593d98c9d0c1e335f19cc33951ddb9f8be94061ed366776d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
25eb089fed693f5d06108af884eda629

SHA1
745561abb934bff3747af4bf22cb672c9e319b84

SHA256
172f3c3b148c792d908ea5d803c2f6093752165fa8de6156afc3fde95400a6df

SHA512
189d53580632791bc8c45b9486d638890de5c78ef7d5a43a3de9f6f301eaa5783956180feda799e1f493dc08a8a97d6e6019b952a3be69fef064f59c63c4c185

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
466B

MD5
ddd32e5b5ab2d9e6999d9c8d08f067f7

SHA1
c61948dfa7859239f7c9879fdd6b8f27929d2fcb

SHA256
b3aabca93f7d612fececa69a4a385d5b04588a709e57be0fb8daadfe42464070

SHA512
f0ea9f24bb2ddbe5a9df4a0cf0c3c41beb8aff9ac28fa3dea10714a86be455bfa33a8607420d1140cf7042f709ec3cf35f3b108e69cfc8f12b794277210453b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aeaeccfe905b66ba89a016cd3edd248a

SHA1
34f99d15102697662daa01937308700580ff75c4

SHA256
0fbdd8f51b9f8fc829f52b3daa31d5d2a6ca992fa498d9ad3465c4ee34f6009e

SHA512
89fec19bb0900296b7be24a3208d5d13ec4a42814f6fd85adfd8a2b5353340013e8be49786f0c517543cc6076934ce1e0c40b21a2877e6290a4c1c42f49149c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6b3bbf69ff953aa5adcc946d09e865a

SHA1
ef6a8a9264913028efd06ec79c33ac8fcc27928c

SHA256
23007ace649d345543f90837ec2a44e90101893afc75cc53fe3c47c7b85e6f84

SHA512
76d2ee196792135663609ea4b389bdfe9f33541f433f696bd699ca1519dc6222d71abeb8dac30357989ca92ebe011e5569acbe52fa612139b5a69b8dcd3ed6e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6894a65103b34f43ad2ccd9f77acd615

SHA1
af09bbe58f75ceeb2a9f9f71fe5e5ec421b3bc3d

SHA256
7da6886e55ce13283363cdaec1ee2554e32fbb27b5f05a5363cb383366bac5dd

SHA512
6cd3da46f9dc989fcd8ae0336d1b77ad4a3b450e71501a0047a3e94828582b0e73a083b1071b9443f9c3381b5d0449d15f875e1cb0f43127a5026b601ad87ee4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a02a5f1abb728b3e79501f632ad49d77

SHA1
2b2786a6619a2ee9c9bf10689a0f7fefc84def90

SHA256
56ad8af65b7ac181536da3218e954acefa99de5ea2333b07dcbd907f4f2f20a0

SHA512
ca2db3389111795f2f2fed0fd7190150a07c55f824bd310f16f07a1359a34b7e76b74818943f29087aadc4fec2d9d9eb35c0bf6ce0323f1b52ca9955bb0fd470

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e150243082bbb650c08ad7be3e7f8a0c

SHA1
87b1511e2f1afec23946b407170249fcbe7e6e37

SHA256
3f1875a5ee6bf409b0df6c7913668d531fd8f2e3b76a2b46d86ee82e4284b586

SHA512
f780c8455a1223d67f6f7c3a5d1341db8e01f0f40670fa296be8d31f0d3bf7e1a7b81bc27abc88e729174367f6081928620a3dcc2efe8753ee4f5fc761338678

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e35f3b1555d40f4728677e2a00af80d

SHA1
478ad72ded09bbdb7b0bf8ad00bbd1f3d21c8ce9

SHA256
d2c4a1a792bc2138b8b99c1dbe3a213b319f2f35a314bec086d84b5cbe439237

SHA512
31cc05722c939305017d19662de5318e1ad5a5f8d806d453550c3cf1144f510e1f3e795b10f6db83b1b2faed86ff1288e9e6687a0dd76dcd1d52430a16034598

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47f0c6ab854f81f95cd502aeac6391d0

SHA1
4268fc7c053f0284662334370b3ccda7f5e5d720

SHA256
2678bea7647332459e9b3f482ccc53e53393faeb0c28002d996ddb5031f75518

SHA512
bc15637d496d61540c8cb28bc46e59acfd01763fa5a2f85c4522ea1e787b7e92f49e80c354032afbf94baef8b4ee6037346686eef9b3f6b03cb333b7861688dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
470B

MD5
94a42b3b6cded5c627ace2aedb315520

SHA1
7a01a8cd00f5dcf2663b71f487a307cce15e5a0b

SHA256
8054b4e983d5c66e9b519106ce5df4d6910d0673d11e03183fda4b9b5ffee492

SHA512
93f41959d38b78c3104e3ecdb00ac2fdd46fdd8b171f33f7fcfc4d4795518a31fc238e7ae5bf6c7cec564cf56af3bb4c0d6c0701046430f83c74bb7815fdbf5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
66453e83e088d4d0a0c9cf7fd4cd7c7d

SHA1
151c29856d2e8a5c81e0f95e3bb7e44f3cf4001b

SHA256
13b0b27a16660833685431312a2f6924f8d5beff0f5b107353a99b03b96085a7

SHA512
215af314b734110a83883d0dadbe5ddae560713ffdecdb2de84ef6a7642a7ab7713763dfd6b5f02f43107beb46646bebed04d720eda5ea015597269c8938ff6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_FF62BD756A5FABB9D839CE721823CD76

Filesize
406B

MD5
453d3f7fa96e87ef4c26fdde367758c4

SHA1
c8c1ac9c865accfa3b9088750320ac55bcd15daf

SHA256
2d6c4d543f59024530cd0807991f6ce1b1fd267b82f3a941b363b84168c6ea55

SHA512
a14dbf6953ac70e425b57371bacb99d4d1142c68bc0ebca10e0816345d00deec7b7f3c6755e6d799c3689711ec552a294c9630b498de5d7a40ab931b2f834318

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ec9e7d4662825a3d76d956ef01ded3a5

SHA1
b1d26ba76b0d287a8d6b6e3e44617619bc1e053a

SHA256
a40463934ac51aef493f36b3029d4c6b8b1f703a71c399b645115b5660019fdb

SHA512
d7ae5f33763b9be0802fc22c060fbc7bd48ba12729c884d8f20538e18012c83f26a99410b32be2d339a9ee3f44269da0e55a6c7988d6bae03a2280a80087c940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\I9ZCWY4S\www6.buscaid[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HDRO8BQI.txt

Filesize
608B

MD5
8173ad4e2f6d121809d248d09e1c5f54

SHA1
37a1fb7eafd18bb8eb9ba552c76cbeba505cc4d0

SHA256
2a7d561cd0e2d0150b984f524e7b37358adf581c1d4d6746a81103542929d127

SHA512
a33514eda7802d3e7b2c0efe81534001c711a00760acd0d2ce397423df6ac238d9f2e76d368425b999338f55e4c81067a4668095d77c618fdb0ff439e52b33f9

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.9MB

MD5
84ecdc6ed6bbc62cc62153aad85f7c66

SHA1
6a5697f831fc5c0f92ae61bf01f1ff019fd75360

SHA256
24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc

SHA512
3fd4f80612c5527c487ea65f64e7b5e03bf34fc4662489ce8b6872c46be240aadceb404b12fe8b08a77baf4337a1c499a1c00dba751b31bad466d10f9c792791

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.9MB

MD5
84ecdc6ed6bbc62cc62153aad85f7c66

SHA1
6a5697f831fc5c0f92ae61bf01f1ff019fd75360

SHA256
24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc

SHA512
3fd4f80612c5527c487ea65f64e7b5e03bf34fc4662489ce8b6872c46be240aadceb404b12fe8b08a77baf4337a1c499a1c00dba751b31bad466d10f9c792791

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.9MB

MD5
84ecdc6ed6bbc62cc62153aad85f7c66

SHA1
6a5697f831fc5c0f92ae61bf01f1ff019fd75360

SHA256
24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc

SHA512
3fd4f80612c5527c487ea65f64e7b5e03bf34fc4662489ce8b6872c46be240aadceb404b12fe8b08a77baf4337a1c499a1c00dba751b31bad466d10f9c792791

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.9MB

MD5
84ecdc6ed6bbc62cc62153aad85f7c66

SHA1
6a5697f831fc5c0f92ae61bf01f1ff019fd75360

SHA256
24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc

SHA512
3fd4f80612c5527c487ea65f64e7b5e03bf34fc4662489ce8b6872c46be240aadceb404b12fe8b08a77baf4337a1c499a1c00dba751b31bad466d10f9c792791

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
1.9MB

MD5
84ecdc6ed6bbc62cc62153aad85f7c66

SHA1
6a5697f831fc5c0f92ae61bf01f1ff019fd75360

SHA256
24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc

SHA512
3fd4f80612c5527c487ea65f64e7b5e03bf34fc4662489ce8b6872c46be240aadceb404b12fe8b08a77baf4337a1c499a1c00dba751b31bad466d10f9c792791

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
1.9MB

MD5
84ecdc6ed6bbc62cc62153aad85f7c66

SHA1
6a5697f831fc5c0f92ae61bf01f1ff019fd75360

SHA256
24034621fb089223807ae4013fe761917c3c185c09b106c36ed8f897c8501cbc

SHA512
3fd4f80612c5527c487ea65f64e7b5e03bf34fc4662489ce8b6872c46be240aadceb404b12fe8b08a77baf4337a1c499a1c00dba751b31bad466d10f9c792791

Download Submit
memory/1016-99-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1016-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1016-94-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1016-93-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1016-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1016-122-0x00000000039F0000-0x0000000004A52000-memory.dmp

Filesize
16.4MB

Download
memory/1340-72-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1340-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1340-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1340-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1340-66-0x0000000076151000-0x0000000076153000-memory.dmp

Filesize
8KB

Download
memory/1340-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1340-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1340-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1484-87-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1484-88-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download